Ragnarok
Ragnarok, also known as RagnarokCry, is a ransomware that runs on Microsoft Windows. It was discovered by G DATA malware analyst Karsten Hahn. It is part of the MegaCortex family. It is aimed at English-speaking users.

Payload Transmission

Ragnarok is distributed by exploiting the Citrix ADC vulnerability. When attackers are able to compromise a Citrix ADC device, various scripts are downloaded and executed that scan for Windows computers vulnerable to the EternalBlue vulnerability. If a vulnerable host is found, the scripts attempt to exploit it and, if successful, inject a DLL that downloads and installs the Ragnarok ransomware onto the exploited device. It can also be spread through unprotected RDP configurations, email spam and malicious attachments, deceptive downloads, botnets, malicious ads, web injects, fake updates, and repackaged or infected installers.

Infection

In order to fly under the authorities' radar, it excludes users in Russia and other former Soviet Union countries from encryption if they become infected. Ragnarok does this by checking the installed Windows language ID; if it matches one of the following, it will not encrypt the computer:

0419 = Russia
0423 = Belarus
0444 = Russia
0442 = Turkmenistan
0422 = Ukraine
0426 = Latvia
043f = Kazakhstan
042c = Azerbaijan

Strangely, in addition to the CIS countries, Ragnarok will also avoid encrypting victims who have the 0804 language ID for China installed.
It then disables Windows Defender by adding the following Windows group policies, which turn off various protection options in Windows Defender:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender "DisableAntiSpyware" = 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection "DisableRealtimeMonitoring" = 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection "DisableBehaviorMonitoring" = 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection "DisableOnAccessProtection" = 1

In addition to Windows Defender, Ragnarok will also attempt to clear Shadow Volume Copies, disable Windows automatic startup repair, and turn off the Windows Firewall with the following commands:

cmd.exe /c vssadmin delete shadows /all /quiet
cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
cmd.exe /c bcdedit /set {current} recoveryenabled no
cmd.exe /c netsh advfirewall set allprofiles state off

Another strange aspect of this ransomware is the numerous references in the Windows executable to various Unix/Linux file paths, such as:

"no_name4": "/proc",
"no_name5": "/proc/%s/status",
"no_name8": "/tmp/crypt.txt",
"no_name9": "/proc/%s",
"rand_path": "/dev/random",
"home_path": "/home/",

It is not yet clear why these paths are included or what they are used for, but Kremez believes they could indicate in-development cross-platform targeting by the attackers.

The rest of the Ragnarok encryption process is similar to what is seen in other ransomware infections. When encrypting files it uses AES encryption, and the generated key is encrypted with a bundled RSA encryption key. This ensures that only the ransomware developers can decrypt the victim's encryption key. When scanning for files to encrypt, Ragnarok will skip any files that have the ".exe", ".dll", ".sys", and ".ragnarok" extensions.
It will also skip any files whose path contains the following strings:

content.ie5
\temporary internet files
\local settings\temp
\appdata\local\temp
\program files
\windows
\programdata
$

Each encrypted file will have the .ragnarok extension appended to the file name. For example, 1.doc would be encrypted and renamed to 1.doc.ragnarok.

While encrypting the computer, it will create a ransom note in every traversed folder called !!ReadMe_To_Decrypt_My_Files.txt. The ransom note states the following:

#what happend?
Unfortunately your files are encrypted, To decrypt your files follow the instructions
1. you need a decrypt tool so that you can decrypt all of your files
2. contact with us for our btc address if you want decrypt your files or you can do nothing just wait your files gona be deleted
3. you can provide a file which size less than 3M for us to prove that we can decrypt your files after you paid
4. it is wise to pay in the first time it wont cause you more losses
DEVICE ID: ---------------------------- - ----------------------------
you can send your DEVICE ID to mail address below
asgardmaster5@protonmail.com

This ransom note contains instructions on what happened to a victim's files, their encrypted decryption key, and three email addresses to contact for payment instructions. It is not known how many bitcoins the attackers are demanding for a decryptor.
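The Defender policy values and the four tampering commands listed in the Infection section are the parts of this behaviour a defender can match on in endpoint telemetry. The following Python detection sketch is an added example, not code from this wiki or from any of the analysts it cites; the event dictionary shape, the finding names and the sample events are my own constructions, and only the registry values and command lines come from the page.

```python
import re
from typing import List

# Command lines the page attributes to Ragnarok, as case-insensitive regexes.
# The finding names are mine; the commands are the ones quoted on the page.
TAMPER_PATTERNS = {
    "shadow_copies_deleted": re.compile(r"vssadmin\s+delete\s+shadows\s+/all", re.I),
    "boot_status_policy_ignored": re.compile(r"bcdedit\s+/set\s+\{current\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "startup_repair_disabled": re.compile(r"bcdedit\s+/set\s+\{current\}\s+recoveryenabled\s+no", re.I),
    "firewall_disabled": re.compile(r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I),
}

# Defender policy values the page says the malware sets to 1 (registry paths are case-insensitive, so compare lower-cased).
DEFENDER_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
RTP = DEFENDER_ROOT + r"\Real-Time Protection"
DEFENDER_POLICY_VALUES = {(k.lower(), v.lower()) for k, v in [
    (DEFENDER_ROOT, "DisableAntiSpyware"),
    (RTP, "DisableRealtimeMonitoring"),
    (RTP, "DisableBehaviorMonitoring"),
    (RTP, "DisableOnAccessProtection"),
]}

def classify_event(event: dict) -> List[str]:
    """Findings for one event. Assumed shape (my own, not a real log format):
    {"type": "process", "cmdline": ...} or {"type": "registry", "key": ..., "value": ..., "data": ...}."""
    findings = []
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        findings += [name for name, pat in TAMPER_PATTERNS.items() if pat.search(cmd)]
    elif event.get("type") == "registry":
        pair = (event.get("key", "").rstrip("\\").lower(), event.get("value", "").lower())
        if pair in DEFENDER_POLICY_VALUES and str(event.get("data")) == "1":
            findings.append("defender_policy_" + event["value"])
    return findings

def triage(events: List[dict]) -> dict:
    """Aggregate per host: several distinct tampering actions together are a far stronger signal than any one command, which administrators also run legitimately."""
    hits = sorted({f for e in events for f in classify_event(e)})
    return {"findings": hits, "suspicious": len(hits) >= 2}

# Constructed sample telemetry, not real logs: three of the page's commands, one Defender policy change, one benign process.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "process", "cmdline": "cmd.exe /c bcdedit /set {current} recoveryenabled no"},
    {"type": "process", "cmdline": "cmd.exe /c netsh advfirewall set allprofiles state off"},
    {"type": "registry", "key": DEFENDER_ROOT, "value": "DisableAntiSpyware", "data": "1"},
    {"type": "process", "cmdline": "notepad.exe C:\\Users\\x\\notes.txt"},
]
```

Running triage(SAMPLE_EVENTS) reports four distinct findings and flags the host; a single matching command on its own is reported but not flagged, since vssadmin, bcdedit and netsh are also legitimate administration tools.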